The United States Cybersecurity and Infrastructure Security Agency released a series of security recommendations for reducing exposure across operational technologies and control systems. The alert comes after months of cyber attacks around the globe including the April attack on Israel’s water infrastructure and subsequent attacks on the nation’s critical infrastructure.
“Over recent months, cyber actors have demonstrated their continued willingness to conduct malicious cyber activity against critical infrastructure (CI) by exploiting internet-accessible operational technology (OT) assets,” the alert says. “Due to the increase in adversary capabilities and activity, the criticality to U.S. national security and way of life, and the vulnerability of OT systems, civilian infrastructure makes attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”
According to the security recommendations, attacks are becoming more prevalent due to easily accessible unsecured assets, the use of common, open-source information about devices, and an extensive list of exploits deployable via common exploit frameworks.
“Internet-accessible OT assets are becoming more prevalent across the 16 U.S. CI sectors as companies increase remote operations and monitoring, accommodate a decentralized workforce, and expand outsourcing of key skill areas such as instrumentation and control, OT asset management/maintenance, and in some cases, process operations and maintenance,” the alert says.
The alert identifies multiple tactics and techniques that have been used in recent attacks. These include spearphishing to obtain initial access to an organization’s information technology network before pivoting to the OT network. Additionally, attackers are deploying commodity ransomware to encrypt data for impact on both networks.
These attacks have resulted in loss of availability on OT networks, partial loss of view for human operators, loss of productivity and revenue, and disruption to physical processes.
“OT assets are critical to the Department of Defense (DoD) mission and underpin essential National Security Systems (NSS) and services, as well as the Defense Industrial Base (DIB) and other critical infrastructure,” the alert says. “At this time of heightened tensions, it is critical that asset owners and operators of critical infrastructure take the following immediate steps to ensure resilience and safety of U.S. systems should a time of crisis emerge in the near term.”
The alert recommends having a resilience plan for OT that identifies system and operational dependencies and removes functionality that could increase risk and expand the attack surface area. CISA also recommends planning for continued manual process operations in case industrial control systems become unavailable or need to be deactivated due to hostile takeover.
“Since the Ukraine cyberattack of 2015, organizations must assume in their planning of not only a malfunctioning or inoperative control system, but a control system that is actively acting contrary to the safe and reliable operation of the process,” the alert says.
CISA's security recommendations strongly suggest that organizations exercise their incident response plans. This includes conducting tabletop exercises, identifying who has the authority to make key decisions under what circumstances, and reviewing service contracts and government services for emergency incident response and recovery support.
“In a state of heightened tensions and additional risk and exposure, it is critical to have a well-exercised incident response plan that is developed before an incident,” the alert says.
Organizations should also take steps to harden their networks. This includes fully patching all internet-accessible systems, using a validated inventory to investigate which OT devices are internet-accessible, and securing all required and approved remote access and user accounts.
“Remote connectivity to OT networks and devices provides a known path that can be exploited by cyber actors. External exposure should be reduced as much as possible,” the alert says. “Remove access from networks, such as non-U.S. IP addresses, if applicable, that do not have legitimate business reasons to communicate with the system. Use publicly available tools, such as Shodan, to discover internet-accessible OT devices. Take corrective actions to eliminate or mitigate internet-accessible connections immediately.”
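The inventory step in the hardening advice above, as an added example that is not code from the alert or this article: it reconciles a validated OT asset inventory against internet-exposure findings and ranks the corrective actions, with exposures on ICS protocol ports handled first. The inventory and findings are constructed sample data, and the finding record shape (ip, port) is an assumption rather than any discovery tool's real output format.

```python
# Added example: reconcile a validated OT inventory against internet-exposure
# findings (not code from the CISA alert or the article). Inventory and findings
# are constructed sample data; the finding shape (ip, port) is an assumption.
from dataclasses import dataclass

# Common ICS/OT protocol ports; exposure on these is handled first.
OT_PORTS = {102: "Siemens S7", 502: "Modbus/TCP", 20000: "DNP3",
            44818: "EtherNet/IP", 47808: "BACnet"}

@dataclass(frozen=True)
class Asset:
    asset_id: str
    ip: str
    remote_access_approved: bool  # approved through the change process

INVENTORY = [  # constructed validated inventory
    Asset("PLC-01", "203.0.113.10", False),
    Asset("HMI-02", "203.0.113.11", True),
    Asset("RTU-03", "203.0.113.12", False),
]

FINDINGS = [  # constructed, in the shape a discovery tool might report
    {"ip": "203.0.113.10", "port": 502},
    {"ip": "203.0.113.11", "port": 443},
    {"ip": "203.0.113.99", "port": 47808},
]

def reconcile(inventory, findings):
    """Return corrective actions, most urgent first.
    UNAPPROVED: inventoried asset reachable without approval -> remove access.
    UNKNOWN:    exposed IP absent from the inventory -> inventory gap, investigate.
    REVIEW:     approved remote access -> confirm it is still required.
    """
    by_ip = {a.ip: a for a in inventory}
    actions = []
    for f in findings:
        asset = by_ip.get(f["ip"])
        if asset is None:
            status = "UNKNOWN"
        elif not asset.remote_access_approved:
            status = "UNAPPROVED"
        else:
            status = "REVIEW"
        actions.append({"status": status, "ip": f["ip"], "port": f["port"],
                        "asset_id": asset.asset_id if asset else None,
                        "ot_protocol": OT_PORTS.get(f["port"])})
    # OT-protocol exposures first, then by status severity.
    rank = {"UNAPPROVED": 0, "UNKNOWN": 1, "REVIEW": 2}
    actions.sort(key=lambda a: (a["ot_protocol"] is None, rank[a["status"]]))
    return actions
```

An UNKNOWN result is as important as an UNAPPROVED one: it means the validated inventory itself is incomplete, which the alert's guidance depends on.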